CNTRLPLANE-2241: kms: add helper for TechPreview V1

[bertinatto]

/assign @ardaguclu @benluddy @p0lyn0mial

Proof PR: openshift/cluster-kube-apiserver-operator#2015

[bertinatto]

/hold
For openshift/api#2669

[ardaguclu]

/lgtm
This looks good to me. I also opened #2091 for the new FG.

[p0lyn0mial]

should we check if the mount doesn't already exist ? :)

otherwise we might add it multiple times.
also worth adding a test case for this ^

[bertinatto]

Good point. This would be a problem if:

1. This function is called multiple times per sync;
2. Another routine adds a mount with the same name;

In both cases, I believe this function should fail rather than preventing the addition of the duplicate, and that's the currently behavior. Do you think it fail silently instead?

Alternatively, I could add a check with a different error, but I'm not sure it's worth it.

No strong opinions, though. I'm happy to change if you disagree.

[bertinatto]

BTW, in pkg/operator/v1helpers/helpers.go we do the same thing

[p0lyn0mial]

Do you think it fail silently instead?

My idea was to simply check whether the volume/mount exists before adding it to the list.
I understand that the assumption is that this function will receive a pod that does not contain the volume/mounts.

If we don’t want to add these checks, would it make sense to at least document this assumption in the function’s docs?

[bertinatto]

Makes sense, added a doc

[p0lyn0mial]

should we check if the volume doesn't already exist ? :)

otherwise we might add it multiple times.
also worth adding a test case for this ^

[bertinatto]

See my previous comment

[p0lyn0mial]

i think this is what we usually return when FG hasn't been observed, right ?

[bertinatto]

Right, in that case it's not possible to make a decision

[p0lyn0mial]

maybe we should also already Deprecate it :) ?

[ardaguclu]

That makes sense :)

[bertinatto]

Changed it, but deprecated usually means "don't use this, use X instead", so it implies that an alternative exists

[bertinatto]

From https://prow.ci.openshift.org/view/gs/test-platform-results/logs/openshift-cluster-kube-apiserver-operator-2015-nightly-4.22-e2e-vsphere-ovn-techpreview/2016149344322850816:

$ omc get featuregate cluster -o jsonpath='{.status.featureGates[].enabled[?(@.name=="KMSEncryption")]}'
{"name":"KMSEncryption"}

$ omc -n openshift-kube-apiserver get pod/kube-apiserver-ci-op-5npgdx95-b7629-bbrjx-master-0 -o json | jq .spec.containers[0].volumeMounts[5]
{
  "mountPath": "/var/run/kmsplugin",
  "name": "kms-plugin-socket"
}

$ omc -n openshift-kube-apiserver get pod/kube-apiserver-ci-op-5npgdx95-b7629-bbrjx-master-0 -o json | jq .spec.volumes[5]
{
  "hostPath": {
    "path": "/var/run/kmsplugin",
    "type": "DirectoryOrCreate"
  },
  "name": "kms-plugin-socket"
}

/hold cancel

[ardaguclu]

This looks good to me. But I'll defer the tag to @p0lyn0mial

[p0lyn0mial]

This is a personal preference.

I really like it when test definitions include inputs and expected outputs. It allows me to review test cases without looking at the logic.

If you feel the same way, we could slightly update the unit test to include actualPod and expectedPod (with the expected volumes).

[bertinatto]

Ack; included actualPod and expectedPod

[openshift-ci]

@bertinatto: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[p0lyn0mial]

/lgtm

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: ardaguclu, bertinatto, p0lyn0mial

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• pkg/operator/encryption/OWNERS [bertinatto,p0lyn0mial]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@bertinatto: This pull request references CNTRLPLANE-2241 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

Details

In response to this:

/assign @ardaguclu @benluddy @p0lyn0mial

Proof PR: openshift/cluster-kube-apiserver-operator#2015

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.